Privacy Policy
Last Updated: September 26, 2025
1. Introduction
This Privacy Policy describes how NABOO GROUP and its affiliates, NABOO ESP, S.L. and NABOO CA Events, Inc. (collectively "Naboo", "we", "us", "our"), collect, use, protect, and share personal data in connection with your use of our platform at the address https://www.naboo.app (the "Platform") and associated services (the "Services").
This policy applies to all personal data collected by Naboo in the context of providing its Services, whether through the Platform, by telephone, by email, or by any other means of communication.
Terms used in this policy, such as "Personal Data", "Processing", and "Controller", as well as references to legal bases (e.g., "Legitimate Interest", "Performance of Contract") shall be interpreted in accordance with the data protection laws applicable to your place of residence (including, but not limited to, the GDPR for Europe, the FADP for Switzerland, Law 25 for Quebec/Canada, the LFPDPPP for Mexico, or the CCPA/CPRA for California).
Please review our General Terms of Use for the definitions of capitalized terms. For more information regarding the use of cookies and similar technologies, please consult our Cookie Policy.
2. Data Controller Identification and Contact Details
2.1. NABOO GROUP as Data Controller
For all personal data that you provide to us directly or that we collect in the context of your use of the Platform, NABOO GROUP, a simplified joint-stock company registered with the Paris Trade and Companies Register under number 904 443 462, with its registered office located at 10 rue de Penthièvre, 75008 Paris, France, acts as the data controller within the meaning of the applicable data protection regulations, depending on your location.
In this capacity, we determine the purposes and means of the processing of your personal data, specifically for:
- The management and execution of your reservation requests and the organization of your professional events;
- The operation, maintenance, and continuous improvement of our Platform and Services;
- Compliance with our legal, regulatory, and contractual obligations;
- The management of our commercial relationship and the maintenance of our business records.
2.2. Service Providers as Separate Data Controllers
In order to provide our Services, we are required to communicate certain personal data to third-party providers who perform the business travel services you have selected, specifically hotel establishments, seminar venues, transport companies, caterers, and activity providers (hereinafter the "Service Providers").
These Service Providers act as separate data controllers for the data they collect and process in the context of performing their own services. They autonomously determine the purposes and means of such processing, specifically for participant registration, compliance with security requirements, invoicing of their services, or managing their own client relationships.
Each controller is required to ensure their compliance with applicable provisions regarding personal data protection and to provide data subjects with transparent information about their own processing. We recommend that you review the privacy policies of the Service Providers selected for your reservation.
3. Categories of Personal Data Collected
3.1. Data Collected Automatically
When you navigate the Platform, we automatically collect:
- Connection and navigation data: IP address, browser type and version, operating system, pages viewed, duration of visit, actions taken, traffic source, search keywords used;
- Location data: Approximate geographic location deduced from your IP address;
- Device data: Unique device identifiers, technical characteristics of your device.
3.2. Data You Provide to Us Directly
In the context of using our Services, you provide us with the following data:
- Identification data: First name, last name, job title, employer name;
- Contact data: Professional email address, professional phone number;
- Account login data: Username, encrypted password;
- Transactional data: Reservation history, details of organized events, preferences regarding event organization;
- Payment data: Information relating to payment methods (processed securely by our PCI-DSS certified payment service provider);
- Communication data: Content of exchanges with our customer service, sales team, or technical support;
- Participant data: Number of participants, specific needs regarding accessibility or dietary requirements (collected on a non-nominative basis).
3.3. Data Collected via Social Media Login
If you choose to log in via Google or Microsoft Azure:
- Authentication Data: First name, last name, email address – depending on the permissions you grant.
3.4. Data from Recordings
Subject to your prior consent:
- Call recordings: Records of exchanges with our sales teams or customer service for training purposes and service improvement;
- Conversation transcripts: Records of exchanges via our instant messaging support system.
3.5. Data Obtained from Third Parties
- Enrichment Data: Public professional information obtained via legitimate B2B databases to complete your professional profile.
4. Purposes and Legal Bases for Processing
We process your personal data on the following legal bases:
| Purpose of Processing | Legal Basis | Retention Period |
|---|---|---|
| Creation and management of your user account | Performance of contract (art. 6.1.b GDPR) | 3 years after last active use |
| Processing your reservation requests and organizing events | Performance of contract (art. 6.1.b GDPR) | 3 years after the date of the last event |
| Providing customer support and handling claims | Performance of contract and legitimate interest (art. 6.1.b and f GDPR) | 3 years after resolution of the last exchange |
| Sending marketing communications related to our Services | Consent (art. 6.1.a GDPR) or legitimate interest for existing clients (art. 6.1.f GDPR) | 3 years after last contact or withdrawal of consent |
| B2B commercial prospecting | Legitimate interest (art. 6.1.f GDPR) | 3 years after last exchange |
| Improvement of our Services and statistical analysis | Legitimate interest (art. 6.1.f GDPR) | 3 years, then irreversible anonymization |
| Audience measurement and analytics | Legitimate interest (art. 6.1.f GDPR) | 13 months maximum |
| Management of accessibility and specific needs | Legitimate interest and legal obligations (art. 6.1.c and f GDPR) | 6 months after the event |
| Call recording for training and evidentiary purposes | Legitimate interest (art. 6.1.f GDPR) | 12 months |
| Fraud prevention and Platform security | Legitimate interest (art. 6.1.f GDPR) | Duration necessary for the purpose |
| Management of disputes and pre-litigation | Legitimate interest (art. 6.1.f GDPR) | 5 years after the end of the dispute |
| Compliance with accounting and tax obligations | Legal obligation (art. 6.1.c GDPR) | 10 years (French Commercial Code) |
| Response to requests to exercise GDPR rights | Legal obligation (art. 6.1.c GDPR) | 5 years after processing the request |
Where processing is based on our legitimate interest, we have conducted a balancing test to ensure that our legitimate interests, rights, and freedoms do not override your interests or fundamental rights and freedoms.
5. Recipients of Personal Data
5.1. Types of Recipients
Your personal data is likely to be shared with the following types of recipients:
Within NABOO GROUP:
- Authorized members of our teams (sales, customer support, technical, legal, finance) within the limits of their respective duties on a need-to-know basis;
- Our affiliated companies, in compliance with the purposes described in this policy.
Technical Providers: We use carefully selected technical service providers subject to strict contractual data protection clauses:
- Infrastructure and hosting: Amazon Web Services (Europe data center - Paris region)
- Authentication services: Google Cloud Platform, Microsoft Azure (SSO login)
- Payment services: Stripe (PCI-DSS Level 1 certified)
- Customer relationship management (CRM): HubSpot
- Communications: Emailing and messaging providers
- Analytics and performance measurement: Audience analysis solutions
Event service providers: The Providers you select for your event only receive the information necessary to perform their services.
Public Authorities: We may be required to disclose your data to administrative or judicial authorities when such disclosure is necessary for the identification, apprehension, or prosecution of any individual likely to prejudice our rights, or when required by law.
5.2. Guarantees Required from Recipients of Your Data
All of our sub-processors are bound by data processing agreements compliant with Article 28 of the GDPR, ensuring in particular:
- Processing of data according to our documented instructions;
- Confidentiality of data;
- Implementation of appropriate security measures;
- Compliance with conditions for subsequent sub-processing;
- Assistance in compliance with our GDPR obligations;
- Deletion or return of data at the end of the service.
6. Data Transfers Outside of the EU
Your personal data is primarily stored within the European Union.
However, some of our sub-processors may process your data outside the European Economic Area, particularly in the United States. In this case, we ensure the implementation of appropriate safeguards in accordance with GDPR requirements:
- Standard Contractual Clauses adopted by the European Commission (2021/914);
- Certification under the Data Privacy Framework where applicable;
- Additional technical measures (encryption, pseudonymization) where necessary.
You may obtain a copy of these safeguards by contacting our Data Protection Officer.
7. Data Retention Period
We retain your personal data as long as necessary for the purposes for which it was collected, in compliance with legal and regulatory limitation periods.
Data retention architecture:
- Active Database: Data immediately accessible for operational purposes.
- Intermediate Archiving: Restricted access for legal obligations or dispute management.
- Permanent deletion or irreversible anonymization.
Specific durations are detailed in the table in Section 4. At the end of these periods, your data is either securely deleted or irreversibly anonymized.
8. Your Rights
8.1. Rights under the GDPR
In accordance with the provisions of the GDPR, you have the following rights:
- Right of access: To confirm that your personal data is being processed and to access such data;
- Right to rectification: To rectify inaccurate or incomplete data;
- Right to erasure: To erase your data in cases provided for by the applicable regulation;
- Right to restriction: To restrict processing in cases provided for by the applicable regulation;
- Right to object: To object to the processing of your data, particularly for prospecting purposes;
- Right to portability: To receive your data in a structured format and transmit it to another controller;
- Right to withdraw your consent: Where processing is based on your consent;
- Right to define post-mortem directives (France only): To define directives regarding the retention, erasure, and communication of your data after your death.
8.2. How to Exercise Your Rights
You may exercise your rights via the following means:
- Email: dpo@naboo.app
- Postal Mail: NABOO GROUP - Attn: DPO - 10 rue de Penthièvre, 75008 Paris
- Platform: To update your information and manage your preferences
We will respond to your request within a maximum of one month from the date of receipt. This period may be extended by two additional months depending on the complexity and number of requests.
8.3. Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority (see list in Section 14).
9. Data Security
9.1. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following:
- Encryption of sensitive data in transit (TLS 1.3) and at rest (AES-256);
- Strict role-based access control and the principle of least privilege;
- Multi-factor authentication for access to critical systems;
- Logging and monitoring of access and activities;
- Regular security tests and compliance audits;
- Continuous training and awareness-raising for personnel;
- Business continuity plan and backup procedures.
9.2. Notification in Case of Breach
In the event of a data breach likely to result in a risk to your rights and freedoms, we will:
- Notify CNIL of the incident within 72 hours;
- Inform you as soon as possible if the risk is high;
- Take all necessary measures to remedy the breach and limit its impacts.
10. Cookies and Similar Technologies
Our Platform uses cookies and similar technologies. For detailed information on their use, their purposes, and your configuration options, please read our Cookie Policy.
11. Minors
Our Platform and Services are intended exclusively for professional use and are not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data regarding a minor, we will proceed to delete such data as soon as possible.
12. Changes to this Policy
We reserve the right to modify this privacy policy at any time to adapt it to legislative, regulatory, jurisprudential, and technical developments.
You will be notified of material changes via the Platform or by email. Your continued use of our Services after such notification constitutes acceptance of these changes.
The date of the last update is indicated at the top of the document.
13. Data Protection Officer
For any questions regarding the protection of your personal data or the exercise of your rights, you may contact our Data Protection Officer at:
Email: dpo@naboo.app
Postal Mail:
NABOO GROUP
Attn: Data Protection Officer
10 rue de Penthièvre
75008 Paris, France
14. Specific Provisions by Jurisdiction
Depending on your place of residence, the specific provisions below may apply and supplement this policy.
14.1. Switzerland
For users located in Switzerland, references to the GDPR in this document should be read as references to the Federal Act on Data Protection (FADP).
The Swiss Federal Council recognizes the European Union as having adequate legislation. Transfers to the United States are governed by the Swiss-U.S. Data Privacy Framework.
14.2. United Kingdom
For users located in the United Kingdom, references to the "GDPR" should be read as the UK GDPR and the Data Protection Act 2018.
Data transfers from the United Kingdom to our servers in the European Union are authorized. Transfers to the United States are governed by the UK Extension to the EU-U.S. Data Privacy Framework.
14.3. Canada (Québec)
This section applies to residents of Quebec and supplements the information in this Privacy Policy, in accordance with the Act to modernize legislative provisions as regards the protection of personal information (Law 25).
- Data Controller: Defined in Article 5 let. j FADP.
- Legal Bases (Section 4): References to Art. 6 GDPR correspond to those in Art. 31 FADP (Grounds for justification).
Your Rights under Law 25. In addition to the rights set out in Section 8, you have the following rights:
- Right to enhanced portability: You may request to receive your personal information in a structured and commonly used format, or request its transfer to another organization;
- Right to de-indexation: You may request cessation of the dissemination of your personal information or deactivation of the link allowing access to this information, if such dissemination violates the law or a court order;
- Right to be informed of automated decisions: If a decision based exclusively on automated processing concerns you, you have the right to be informed of it and to request that a natural person review this decision.
Consent. In accordance with Law 25, we shall:
- Obtain your consent in a manifest, free, and informed manner for the collection and use of your personal information;
- Clearly inform you of the purposes for which your information is collected;
- Not use your information for purposes other than those for which it was collected without obtaining your prior consent;
- Allow you to withdraw your consent.
Person in charge of the protection of personal information. In accordance with Law 25, we have designated a person in charge of the protection of personal information. For any question or request, you may contact them at: dpo@naboo.app
14.4. Mexico
This section applies to residents of Mexico and supplements the information in this Privacy Policy, in accordance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) and its Regulations.
Your Rights under the LFPDPPP. In accordance with the LFPDPPP, you have the following rights (ARCO):
- Access: To be aware of your personal data that we process, the purposes for which we process it, and the conditions of the processing;
- Rectification: To request correction of your personal data, if inaccurate or incomplete;
- Cancellation (Erasure): To request that your personal data be deleted from our records and databases if you consider that your data is not being used in accordance with the principles, obligations, and duties, as provided for by the regulations;
- Opposition: To oppose the use of your personal data for specific purposes.
How to Exercise your ARCO Rights. To exercise your ARCO rights, please send a request to dpo@naboo.app with the following information:
- Your full name and address, or any other contact information where we can reach you with our response;
- Documents proving your identity or, if applicable, that of your legal representative;
- A clear and precise description of the personal data for which you wish to exercise your right;
- Any other information or document that may help to identify your personal data.
We will respond to your request within 20 business days from the date of receipt. This period may be extended under the conditions provided by law.
Limits on the Use of Personal Data. You may limit the use or disclosure of your personal data, or revoke the consent you have given us to process your data, by sending a request to dpo@naboo.app.
Data Transfers. Your personal data may be transferred or processed within or outside of the country by persons or organizations other than this company. In this regard, your information may be shared with the categories of recipients described in Section 5 of this Policy. We will not transfer your personal information to third parties without your consent, except within the framework of exceptions provided for in Article 37 of the LFPDPPP.
14.5. USA (California)
This section applies to residents of California and supplements the information in this Privacy Policy, in accordance with the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2022 (CPRA).
For all US residents. If you reside in the United States and believe that we have not adequately addressed your privacy concerns, you may contact the consumer protection division of your State Attorney General's office. You can locate your State Attorney General here.
For California residents. In addition to the above, California residents have the right to file a complaint regarding our data protection practices with the California Privacy Protection Agency (CPPA).
Categories of Personal Data Collected. Over the last 12 months, we have collected the following categories of personal data:
| Category | Examples |
|---|---|
| Identification | Name, email address, IP address, account name |
| Personal Data (Cal. Civ. Code § 1798.80(e)) | Name, address, phone number, employment, payment information |
| Commercial Information | Reservation history, purchased services |
| Internet or Network Activity | Browsing history, interactions with the Platform |
| Geolocation Data | Approximate location via IP address |
| Professional or employment-related information | Job title, employer name |
| Inferences | Preferences inferred from your activity |
Use of Personal Data. We use your personal data for the commercial purposes described in Section 4 of this Privacy Policy.
Disclosure of Personal Data. We may disclose personal data for commercial purposes to the categories of recipients described in Section 5.
We do not sell personal data. We do not share personal data for the purposes of cross-context behavioral advertising.
Your Privacy Rights in California. As a resident of California, you have the following rights:
- Right to Know: You may request that we inform you of the categories and specific personal data that we have collected about you, the categories of sources, the commercial purposes for collection, and the categories of third parties with whom we share your personal data.
- Right to Delete: You may request the deletion of your personal data that we have collected, subject to certain exceptions.
- Right to Rectification: You may request the rectification of inaccurate personal data.
- Right to Opt-Out: You have the right to opt-out of the sale or disclosure of your personal data. As stated above, we do not sell or share personal data.
- Right to Limit Use of Sensitive Personal Data: Where applicable, you may limit the use of your sensitive personal data only to purposes necessary for the provision of services you have requested.
- Right to Non-Discrimination: We will not discriminate against you for the exercise of any of these rights.
How to submit a request. To exercise your rights, you may contact us at the following addresses:
- E-mail: dpo@naboo.app
- Postal Mail: NABOO GROUP - Attn: DPO - 10 rue de Penthièvre, 75008 Paris, France
We will verify your identity before processing your request. You may designate an authorized representative to submit your request on your behalf by providing written authorization.
We will respond to verified requests within 45 days. If we require additional time, we will inform you of the reason and the period of extension (up to 45 additional days).
Contact for California privacy requests. For any question regarding your privacy rights in California, contact us at dpo@naboo.app.
15. Supervisory Authorities
If you reside in the European Economic Area, your lead supervisory authority is the CNIL (France).
However, you may also contact your local authority:
| Country | Supervisory Authority | Website |
|---|---|---|
| France | Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, 75007 Paris | www.cnil.fr |
| Belgium | Autorité de la protection des données (APD) Rue de la Presse 35, 1000 Bruxelles | www.autoriteprotectiondonnees.be |
| Luxembourg | Commission Nationale pour la Protection des Données (CNPD) 15 Boulevard du Jazz, L-4370 Belvaux | www.cnpd.lu |
| Germany | Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) Graurheindorfer Str. 153, 53117 Bonn | www.bfdi.bund.de |
| Austria | Österreichische Datenschutzbehörde (DSB) Barichgasse 40-42, 1030 Wien | www.dsb.gv.at |
| Spain | Agencia Española de Protección de Datos (AEPD) C/Jorge Juan 6, 28001 Madrid | www.aepd.es |
| Italy | Garante per la protezione dei dati personali Piazza Venezia 11, 00187 Roma | www.garanteprivacy.it |
| The Netherlands | Autoriteit Persoonsgegevens Hoge Nieuwstraat 8, P.O. Box 93374 2509 AJ Den Haag | https://autoriteitpersoonsgegevens.nl/ |
| Switzerland | Préposé fédéral à la protection des données et à la transparence (PFPDT) Feldeggweg 1, CH - 3003 Berne | www.edoeb.admin.ch |
| United Kingdom | Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | www.ico.org.uk |
| Canada | Commission d'accès à l'information du Québec (CAI) 525, boulevard René-Lévesque Est, bureau 2.36, Québec (Québec) G1R 5S9 | www.cai.gouv.qc.ca |
| Mexico | Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) Insurgentes Sur 3211, Col. Insurgentes Cuicuilco Alcaldía Coyoacán, C.P. 04530 Ciudad de México | www.inai.org.mx |
| California (USA) | California Privacy Protection Agency (CPPA) 400 R Street, Suite 350, Sacramento, CA 95811 | www.cppa.ca.gov |
NABOO GROUP | Simplified joint-stock company with a capital of 40 714 € | Registered office: 10 rue de Penthièvre, 75008 Paris, France
RCS PARIS 904 443 462 | VAT FR32 904 443 462 | NABOO GROUP is registered under number IM075240016 in the register of travel and holiday operators with Atout France, whose registered office is located at 200/216 rue Raymond Losserand, CS 60043, 75680 PARIS Cedex 14